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Abstract 


Android is an open source mobile operating system that is developed mainly by Google. It is used on a 
significant portion of mobile devices worldwide. In this paper , I will be looking at an attack commonly 
known as tapjacking. I will be taking the attack apart and walking through each individual step required 
to implement the attack. I will then explore the various payload options available to an attacker. Lastly , I 
will touch on the feasibility of the attack as well as mitigation strategies. 


I. Introduction 

T He tapjacking attack basically tricks the user 
into tapping on an object in the background 
layer by clever positioning of a foreground 
layer that is not tappable. Hence, any user 
touches will be applied onto the background 
layer which is not visible to the user. It is essen¬ 
tially a delivery mechanism and the payload 
can be customised by the attacker. The exploit 
is payload and aspect ratio specific, therefore 
the exploit code will need to be modified de¬ 
pending on the payload desired by the attacker 
as well as the target device's aspect ratio. The 
attack is also limited by the screen real estate 
of the device, I will be elaborating more on that 
in the section on developing the application. 


1. Open the App detail^] page of the target 
app 

2. Tap Install 
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INSTALL 
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II. Exploiting the vulnerability 

I. Payload Selection 

The first step in developing the exploit will be 
to choose a payload. For this walkthrough, I 
will be using the application installer payload. 
We will need to note down the location and 
number of taps a user would make in order 
to install an application. In the case of Google 
Play, the steps are as follows. 


3. 


Tap Accept 



: We can access the app detail page directly through market:// url. Hence, we do not need to search for the app. 
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Hello World, hello Android. 


READ MORE 


Hello World 

needs access to 


Hello World does not require any 
special permissions. Learn More . ™ 


^ Google play 



Hello World, hello Android. 


READ MORE 



II. Developing the application 

Once the desired payload and steps has been 
identified, we can move on to developing the 
application. We would need to create a toast 
activity and have the image overlay the buttons 
which need to be pressed. Toasts are normally 
used to display short text notifications and any 
taps will be filtered down to the background 
layer. Positioning of the toast has to be done 
by trial and error. We will want to use density 
independent pixels (dp) when specifying the 
position so that the exploit code will work on 
devices with different resolutions but same 
aspect ratios. 


The images have to be placed such that no 
image overlaps a tappable area of any previous 
screen. E.g. The image for the install button 
has been shifted to the left slightly so it does 
not overlap the "Learn More" link in the per¬ 
missions page. This minimises the probability 
of the exploit failing. Thus the attack in prac¬ 
tical is limited to 2 to 3 clicks at most due to 
limited screen real estate. Furthermore, the 
attack will also be unlikely to work if the size 
of the button is too small as it will be difficult 
as the victim might not be able to tap the exact 
spot. 
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The next step would involve setting the 
toast to repeat on a loop so that is always dis¬ 
played on the screen and set the background 
of the toast to white so as to obscure the target 
application. 

La 


\_m 


At this point, we might want to include baits 
promising the user an incentive if they tap on 
the image repeatedly We are now done with 
the development of the exploit and it can be 
packaged and installed on the target device via 
an appropriate method. 

III. Attack Impact 

As mentioned in the introduction section, the 
tapjacking attack is a delivery mechanism, 
hence its impact would depend on the pay- 
load. 

I. Installer Payload 

Assuming that the attacker chose to use the in¬ 
staller payload, he would be able to perform a 
privilege escalation through the stealthy instal¬ 
lation of a second app which requires multiple 
permissions that the user did not agree to. The 
exploit app itself does not require any permis¬ 
sions. 


<f • w X 0? .ill 86% i 13:24 

^ Tapjacking Demo 

Do you want to install this application? It 
does not require any special access. 


The second app will most likely request the 
following core permissions. 


1. RECEIVE_BOOT_COMPLETED - Allows 
the attacker to start a service in the back¬ 
ground whenever the phone is restarted. 
Thus the user does not even need to run 
the application. 


2. INTERNET - Allows upload of data on 
the phone to the attacker's server 


3. ACCESS_NETWORK_STATE - The at¬ 
tacker might want to upload data only 
when WiFi is active so as not to use up 
too much quota and raise suspicions. 


Depending on the attacker's motive, he 
can make use of any of the following per¬ 
missions (ACCESS_FINE_LOCATION, CAM¬ 
ERA, RECORD_AUDIO, READ_CALENDAR, 
READ_CALL_LOG, READ_CONTACTS, 
READ_SMS, READ_EXTERNAL_STORAGE... 

) to compromise the privacy of the target user. 

There are a few tactics an attacker 
can use to conceal the attack from the 
user. One of the methods involves re¬ 
moving the app icon from the launcher 
and can be achieved by replacing "an¬ 
droid.intent.category.LAUNCHER" in the man¬ 
ifest file with "android.intent.category.DEFAULT" 
Therefore, the user will not be able to locate 
the app when he swipes through the list of 
installed apps on the launcher. The second 
method is to use a generic name such as 
"Android Update Service" or "Bluetooth Con¬ 
nection Helper". On encountering such an 
application, a user will likely assume that the 
application is part of the Android operating 
system and will ignore the application. 
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II. Alternative Payload 

11.1 URL based Payload 

Apart from the installer payload, which is 
triggered by opening a "market://" URL in a 
webview, other URL based payloads include a 
"http(s)://" and a "tel://" payload. The HTTP 
payload will allow an attacker to open any 
URL inside a webview. The webpage could 
contain a full screen button which could trig¬ 
ger a file download or run code which exploits 
a vulnerability in the webview container. How¬ 
ever, the tapjacking application will need the 
permission to access the internet which could 
raise user's suspicions. 

The "tel://" payload will cause the user to 
silently dial a number in the background. It 
does not have such a high impact on security 
and the worst that could happen would be that 
the attacker programmed the payload with a 
premium number and the user would be left 
with a higher phone bill than expected. 

11.2 Other Intent based Payload 

Apart from URLs, an attacker can also use 
intents to launch other activities. For example, 
the Settings activity can be called up using 
the following snippet of code "new Intent( an- 
droid.provider.Settings.ACTION_SETTINGS)". 
With the Settings activity in the background, 
the attacker can then trick the user into per¬ 
forming various actions ranging from switch¬ 
ing on and off Wifi and Bluetooth to allowing 
installation of apps from unknown sources. 

The attacker can also use intents to 
launch third party applications using 
the following code snippet "getPack- 
ageManager().getLaunchIntentForPackage( 
"com.bank.app"); The impact of the attack 
would depend on the app in question. Need¬ 
less to say, the attacker would need to ensure 
that the target user has the target application 
installed and must be familiar with the various 
activities and layout of the target application. 
This variation of the attack is thus one of the 


most difficult to pull off. 

IV. Attack Feasibility 

1. Exploitability - Proof of Concept 

2. Impact - High 

3. Complexity - Very High 

4. Overall - Low 

Only proof of concept code is available at 
the moment. Thus an attacker will need to 
know basic android development in order to 
write or modify the code needed to exploit the 
vulnerability. As of now, there does not exist 
any tool which would automate the develop¬ 
ment of such an app when fed a payload. 

The impact of the attack is (potentially) high 
and depends on the type of payload. In the 
case of the installer payload, an attacker would 
be able to access the call information, SMSes, 
location, files on SD card, camera and micro¬ 
phone, completely compromising the privacy 
of the user. Hence, the impact is relatively 
severe. 

Complexity is very high because the attacker 
has first got to convince the user to install 
the application. He then has to convince the 
user to comply with the instructions and tap 
repeatedly on the images. Lastly, there is a 
substantial chance of failure especially if the 
user's taps are not accurate. 

In summary, the attack is not feasible because 
it requires the attacker to be skilled enough to 
write custom code and the user to be gullible 
enough to follow through with instructions. 
The attack is also not scalable as it only works 
on devices of a specific aspect ratio. A skilled 
attacker would be able to compromise phones 
in masses using easier techniques. Therefore, 
this attack is not feasible and likely only used 
in a targeted attack. 
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V. Mitigation Strategies 

According to an unofficial source (T), the tap- 
jacking vulnerability was claimed to have been 
patched in Android version 4.0.3. However, 
I have successfully carried out this attack on 
my phone which is running Android 4.3. I 
am unable to ascertain if this is because the 
manufacturer of my phone has not applied 
the patch in their images or whether the patch 
does not exist. 

Developers can set the filterTouchesWhenOb- 
scured property to true or override the on- 
FilterTouchEventForSecurity method. Setting 
the property to true is the declarative secu¬ 
rity method and will ignore all taps when the 
app is not in the foreground. Overriding the 
method is the programmatic security approach 
and gives the developer more flexibility. He 
can choose to ignore or to process the taps 
based on certain conditions, i.e. if the app was 
in the foreground within the last 5 seconds. 
Given that even Google Play itself is vulnera¬ 
ble, it is unlikely that many developers practice 
either one of the methods above. 

This is little that users can do to guard them¬ 
selves against a tapjacking attack. But in gen¬ 
eral, users should try not to download obscure 
apps or download apps from third party app 


stores. They should look out for suspicious 
behaviour such as unsolicited app installs and 
practice common sense. 

VI. Conclusion 

I have walked through the process of planning 
and developing an application that exploits the 
tapjacking vulnerability. Even though there is 
not much an android user can do to protect 
himself from such an attack, there is little cause 
for concern as the attack is not feasible to pull 
off. Nevertheless, android users should still 
adopt good security practices to thwart other 
attacks out there. Lastly, developers should 
also play a more active role in ensuring that 
their applications are safe from such attacks. 
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